[....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 25.776855] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 29.441454] random: sshd: uninitialized urandom read (32 bytes read) [ 29.758811] random: sshd: uninitialized urandom read (32 bytes read) [ 30.350622] random: sshd: uninitialized urandom read (32 bytes read) [ 30.578670] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.15.217' (ECDSA) to the list of known hosts. [ 36.340277] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 36.463091] ================================================================== [ 36.470594] BUG: KASAN: slab-out-of-bounds in fscache_alloc_cookie+0x7ad/0x880 [ 36.477939] Read of size 4 at addr ffff8801bfa0c394 by task syz-executor268/5341 [ 36.485460] [ 36.487073] CPU: 1 PID: 5341 Comm: syz-executor268 Not tainted 4.19.0-rc2+ #5 [ 36.494342] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 36.503704] Call Trace: [ 36.506296] dump_stack+0x1c4/0x2b4 [ 36.509909] ? dump_stack_print_info.cold.2+0x52/0x52 [ 36.515083] ? printk+0xa7/0xcf [ 36.518347] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 36.523100] print_address_description.cold.8+0x9/0x1ff [ 36.528447] kasan_report.cold.9+0x242/0x309 [ 36.532838] ? fscache_alloc_cookie+0x7ad/0x880 [ 36.537491] __asan_report_load4_noabort+0x14/0x20 [ 36.542406] fscache_alloc_cookie+0x7ad/0x880 [ 36.546890] ? fscache_cookie_init_once+0x80/0x80 [ 36.551720] ? rpcauth_cache_shrink_scan+0x180/0x180 [ 36.556808] ? __kmalloc_track_caller+0x14a/0x750 [ 36.561639] ? kstrdup+0x39/0x70 [ 36.564991] ? nfs_alloc_client+0x383/0x760 [ 36.569311] ? nfs_get_client+0x8e8/0x14d0 [ 36.573545] ? nfs_init_server+0x357/0x1010 [ 36.577848] ? nfs_create_server+0x86/0x5f0 [ 36.582155] ?
nfs_fs_mount+0x17f8/0x2f1c [ 36.586333] ? mount_fs+0xae/0x31d [ 36.589858] ? vfs_kern_mount.part.35+0xdc/0x4f0 [ 36.594597] ? do_mount+0x581/0x31f0 [ 36.598305] ? ksys_mount+0x12d/0x140 [ 36.602090] ? __x64_sys_mount+0xbe/0x150 [ 36.606242] ? do_syscall_64+0x1b9/0x820 [ 36.610294] __fscache_acquire_cookie+0x230/0xb60 [ 36.615131] ? fscache_cookie_put+0x880/0x880 [ 36.619705] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 36.625225] ? check_preemption_disabled+0x48/0x200 [ 36.630230] ? rcu_lockdep_current_cpu_online+0x1f0/0x2d0 [ 36.635752] ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160 [ 36.641031] ? rcu_pm_notify+0xc0/0xc0 [ 36.644909] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 36.650436] nfs_fscache_get_client_cookie+0x463/0x600 [ 36.655700] ? nfs_readpage_from_fscache_complete+0x200/0x200 [ 36.661579] nfs_alloc_client+0x563/0x760 [ 36.665712] ? register_nfs_version+0x280/0x280 [ 36.670378] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 36.674954] nfs_get_client+0x8e8/0x14d0 [ 36.679019] ? kmem_cache_alloc_trace+0x152/0x750 [ 36.683862] ? mount_fs+0xae/0x31d [ 36.687399] ? nfs_put_client+0x30/0x30 [ 36.691358] ? nfs_alloc_server+0x5ca/0x730 [ 36.695671] ? depot_save_stack+0x292/0x470 [ 36.699976] ? nfs_wait_client_init_complete+0x210/0x210 [ 36.705431] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 36.710953] ? check_preemption_disabled+0x48/0x200 [ 36.715952] ? check_preemption_disabled+0x48/0x200 [ 36.720951] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 36.726125] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 36.731139] nfs_init_server+0x357/0x1010 [ 36.735277] ? nfs_clone_server+0x920/0x920 [ 36.739584] ? nfs_alloc_fattr+0x48/0x1d0 [ 36.743715] ? rcu_read_lock_sched_held+0x108/0x120 [ 36.748725] nfs_create_server+0x86/0x5f0 [ 36.752858] nfs_try_mount+0x180/0xa80 [ 36.756733] ? lock_downgrade+0x900/0x900 [ 36.760866] ? nfs_request_mount.constprop.18+0x920/0x920 [ 36.766397] ? kasan_check_read+0x11/0x20 [ 36.770532] ? do_raw_spin_unlock+0xa7/0x2f0 [ 36.774928] ? 
do_raw_spin_trylock+0x1c0/0x1c0 [ 36.779514] ? kasan_check_write+0x14/0x20 [ 36.783733] ? do_raw_spin_lock+0xc1/0x200 [ 36.787962] ? _raw_spin_unlock+0x2c/0x50 [ 36.792117] ? find_nfs_version+0x138/0x190 [ 36.796430] nfs_fs_mount+0x17f8/0x2f1c [ 36.800400] ? nfs_show_options+0x250/0x250 [ 36.804704] ? nfs_clone_super+0x420/0x420 [ 36.808923] ? nfs_parse_mount_options+0x2660/0x2660 [ 36.814027] ? lock_downgrade+0x900/0x900 [ 36.818168] mount_fs+0xae/0x31d [ 36.821516] ? digsig_verify+0x1530/0x1530 [ 36.825754] vfs_kern_mount.part.35+0xdc/0x4f0 [ 36.830337] ? may_umount+0xb0/0xb0 [ 36.833950] ? _raw_read_unlock+0x2c/0x50 [ 36.838082] ? __get_fs_type+0x97/0xc0 [ 36.841953] do_mount+0x581/0x31f0 [ 36.845480] ? copy_mount_string+0x40/0x40 [ 36.849707] ? copy_mount_options+0x5f/0x380 [ 36.854102] ? rcu_read_lock_sched_held+0x108/0x120 [ 36.859141] ? kmem_cache_alloc_trace+0x353/0x750 [ 36.863969] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 36.869493] ? _copy_from_user+0xdf/0x150 [ 36.873629] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 36.879156] ? copy_mount_options+0x288/0x380 [ 36.883638] ksys_mount+0x12d/0x140 [ 36.887281] __x64_sys_mount+0xbe/0x150 [ 36.891241] do_syscall_64+0x1b9/0x820 [ 36.895113] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 36.900466] ? syscall_return_slowpath+0x5e0/0x5e0 [ 36.905399] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 36.910228] ? trace_hardirqs_on_caller+0x310/0x310 [ 36.915225] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 36.920256] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 36.925806] ? prepare_exit_to_usermode+0x291/0x3b0 [ 36.930809] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 36.935642] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 36.940817] RIP: 0033:0x440129 [ 36.943995] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 36.962882] RSP: 002b:00007ffe7f63b088 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 36.970580] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440129 [ 36.977831] RDX: 000000002015bffc RSI: 0000000020343ff8 RDI: 0000000020000080 [ 36.985081] RBP: 00000000006ca018 R08: 000000002000a000 R09: 0000000000000000 [ 36.992331] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004019b0 [ 36.999604] R13: 0000000000401a40 R14: 0000000000000000 R15: 0000000000000000 [ 37.006979] [ 37.008593] Allocated by task 5341: [ 37.012209] save_stack+0x43/0xd0 [ 37.015643] kasan_kmalloc+0xc7/0xe0 [ 37.019343] __kmalloc+0x14e/0x760 [ 37.022875] fscache_alloc_cookie+0x6f7/0x880 [ 37.027376] __fscache_acquire_cookie+0x230/0xb60 [ 37.032249] nfs_fscache_get_client_cookie+0x463/0x600 [ 37.037509] nfs_alloc_client+0x563/0x760 [ 37.041652] nfs_get_client+0x8e8/0x14d0 [ 37.045694] nfs_init_server+0x357/0x1010 [ 37.049823] nfs_create_server+0x86/0x5f0 [ 37.053953] nfs_try_mount+0x180/0xa80 [ 37.057819] nfs_fs_mount+0x17f8/0x2f1c [ 37.061777] mount_fs+0xae/0x31d [ 37.065131] vfs_kern_mount.part.35+0xdc/0x4f0 [ 37.069692] do_mount+0x581/0x31f0 [ 37.073211] ksys_mount+0x12d/0x140 [ 37.076820] __x64_sys_mount+0xbe/0x150 [ 37.080779] do_syscall_64+0x1b9/0x820 [ 37.084653] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 37.089821] [ 37.091429] Freed by task 3230: [ 37.094690] save_stack+0x43/0xd0 [ 37.098123] __kasan_slab_free+0x102/0x150 [ 37.102344] kasan_slab_free+0xe/0x10 [ 37.106149] kfree+0xcf/0x230 [ 37.109243] security_inode_init_security+0x220/0x3d0 [ 37.114445] shmem_symlink+0x13c/0x960 [ 37.118317] vfs_symlink+0x37a/0x5d0 [ 37.122011] 
do_symlinkat+0x242/0x2d0 [ 37.125794] __x64_sys_symlink+0x59/0x80 [ 37.129843] do_syscall_64+0x1b9/0x820 [ 37.133714] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 37.138879] [ 37.140491] The buggy address belongs to the object at ffff8801bfa0c380 [ 37.140491] which belongs to the cache kmalloc-32 of size 32 [ 37.152957] The buggy address is located 20 bytes inside of [ 37.152957] 32-byte region [ffff8801bfa0c380, ffff8801bfa0c3a0) [ 37.164638] The buggy address belongs to the page: [ 37.169554] page:ffffea0006fe8300 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801bfa0cfc1 [ 37.178983] flags: 0x2fffc0000000100(slab) [ 37.183205] raw: 02fffc0000000100 ffffea000700c4c8 ffffea0007012788 ffff8801da8001c0 [ 37.191070] raw: ffff8801bfa0cfc1 ffff8801bfa0c000 000000010000003a 0000000000000000 [ 37.198933] page dumped because: kasan: bad access detected [ 37.204620] [ 37.206225] Memory state around the buggy address: [ 37.211140] ffff8801bfa0c280: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc [ 37.218479] ffff8801bfa0c300: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc [ 37.225817] >ffff8801bfa0c380: 00 00 06 fc fc fc fc fc 00 00 01 fc fc fc fc fc [ 37.233153] ^ [ 37.237019] ffff8801bfa0c400: 00 01 fc fc fc fc fc fc 01 fc fc fc fc fc fc fc [ 37.244379] ffff8801bfa0c480: 01 fc fc fc fc fc fc fc 00 00 01 fc fc fc fc fc [ 37.251719] ================================================================== [ 37.259057] Disabling lock debugging due to kernel taint [ 37.266113] Kernel panic - not syncing: panic_on_warn set ... [ 37.266113] [ 37.273511] CPU: 1 PID: 5341 Comm: syz-executor268 Tainted: G B 4.19.0-rc2+ #5 [ 37.282170] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.291521] Call Trace: [ 37.294094] dump_stack+0x1c4/0x2b4 [ 37.297703] ? dump_stack_print_info.cold.2+0x52/0x52 [ 37.302892] panic+0x238/0x4e7 [ 37.306064] ? add_taint.cold.5+0x16/0x16 [ 37.310199] ? preempt_schedule+0x4d/0x60 [ 37.314330] ? 
___preempt_schedule+0x16/0x18 [ 37.318725] ? trace_hardirqs_on+0xb4/0x310 [ 37.323040] kasan_end_report+0x47/0x4f [ 37.326999] kasan_report.cold.9+0x76/0x309 [ 37.331303] ? fscache_alloc_cookie+0x7ad/0x880 [ 37.335954] __asan_report_load4_noabort+0x14/0x20 [ 37.340866] fscache_alloc_cookie+0x7ad/0x880 [ 37.345342] ? fscache_cookie_init_once+0x80/0x80 [ 37.350176] ? rpcauth_cache_shrink_scan+0x180/0x180 [ 37.355262] ? __kmalloc_track_caller+0x14a/0x750 [ 37.360087] ? kstrdup+0x39/0x70 [ 37.363439] ? nfs_alloc_client+0x383/0x760 [ 37.367738] ? nfs_get_client+0x8e8/0x14d0 [ 37.371952] ? nfs_init_server+0x357/0x1010 [ 37.376252] ? nfs_create_server+0x86/0x5f0 [ 37.380568] ? nfs_fs_mount+0x17f8/0x2f1c [ 37.384696] ? mount_fs+0xae/0x31d [ 37.388221] ? vfs_kern_mount.part.35+0xdc/0x4f0 [ 37.392973] ? do_mount+0x581/0x31f0 [ 37.396667] ? ksys_mount+0x12d/0x140 [ 37.400446] ? __x64_sys_mount+0xbe/0x150 [ 37.404576] ? do_syscall_64+0x1b9/0x820 [ 37.408628] __fscache_acquire_cookie+0x230/0xb60 [ 37.413458] ? fscache_cookie_put+0x880/0x880 [ 37.417942] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.423474] ? check_preemption_disabled+0x48/0x200 [ 37.428477] ? rcu_lockdep_current_cpu_online+0x1f0/0x2d0 [ 37.433995] ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160 [ 37.439253] ? rcu_pm_notify+0xc0/0xc0 [ 37.443132] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.448659] nfs_fscache_get_client_cookie+0x463/0x600 [ 37.453920] ? nfs_readpage_from_fscache_complete+0x200/0x200 [ 37.459791] nfs_alloc_client+0x563/0x760 [ 37.463923] ? register_nfs_version+0x280/0x280 [ 37.468576] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 37.473156] nfs_get_client+0x8e8/0x14d0 [ 37.477201] ? kmem_cache_alloc_trace+0x152/0x750 [ 37.482027] ? mount_fs+0xae/0x31d [ 37.485551] ? nfs_put_client+0x30/0x30 [ 37.489507] ? nfs_alloc_server+0x5ca/0x730 [ 37.493809] ? depot_save_stack+0x292/0x470 [ 37.498111] ? nfs_wait_client_init_complete+0x210/0x210 [ 37.503549] ? 
__sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.509067] ? check_preemption_disabled+0x48/0x200 [ 37.514060] ? check_preemption_disabled+0x48/0x200 [ 37.519058] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 37.524228] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 37.529232] nfs_init_server+0x357/0x1010 [ 37.533361] ? nfs_clone_server+0x920/0x920 [ 37.537684] ? nfs_alloc_fattr+0x48/0x1d0 [ 37.541817] ? rcu_read_lock_sched_held+0x108/0x120 [ 37.546819] nfs_create_server+0x86/0x5f0 [ 37.550950] nfs_try_mount+0x180/0xa80 [ 37.554824] ? lock_downgrade+0x900/0x900 [ 37.558953] ? nfs_request_mount.constprop.18+0x920/0x920 [ 37.564473] ? kasan_check_read+0x11/0x20 [ 37.568603] ? do_raw_spin_unlock+0xa7/0x2f0 [ 37.572992] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 37.577559] ? kasan_check_write+0x14/0x20 [ 37.581776] ? do_raw_spin_lock+0xc1/0x200 [ 37.585995] ? _raw_spin_unlock+0x2c/0x50 [ 37.590151] ? find_nfs_version+0x138/0x190 [ 37.594457] nfs_fs_mount+0x17f8/0x2f1c [ 37.598414] ? nfs_show_options+0x250/0x250 [ 37.602765] ? nfs_clone_super+0x420/0x420 [ 37.606981] ? nfs_parse_mount_options+0x2660/0x2660 [ 37.612065] ? lock_downgrade+0x900/0x900 [ 37.616195] mount_fs+0xae/0x31d [ 37.619543] ? digsig_verify+0x1530/0x1530 [ 37.623763] vfs_kern_mount.part.35+0xdc/0x4f0 [ 37.628328] ? may_umount+0xb0/0xb0 [ 37.631977] ? _raw_read_unlock+0x2c/0x50 [ 37.636104] ? __get_fs_type+0x97/0xc0 [ 37.639977] do_mount+0x581/0x31f0 [ 37.643499] ? copy_mount_string+0x40/0x40 [ 37.647714] ? copy_mount_options+0x5f/0x380 [ 37.652109] ? rcu_read_lock_sched_held+0x108/0x120 [ 37.657138] ? kmem_cache_alloc_trace+0x353/0x750 [ 37.661981] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 37.667499] ? _copy_from_user+0xdf/0x150 [ 37.671665] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.677198] ? copy_mount_options+0x288/0x380 [ 37.681677] ksys_mount+0x12d/0x140 [ 37.685286] __x64_sys_mount+0xbe/0x150 [ 37.689247] do_syscall_64+0x1b9/0x820 [ 37.693121] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 37.698472] ? 
syscall_return_slowpath+0x5e0/0x5e0 [ 37.703385] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.708211] ? trace_hardirqs_on_caller+0x310/0x310 [ 37.713210] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 37.718210] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.723727] ? prepare_exit_to_usermode+0x291/0x3b0 [ 37.728730] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.733558] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 37.738729] RIP: 0033:0x440129 [ 37.741907] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 37.760803] RSP: 002b:00007ffe7f63b088 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 [ 37.768494] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440129 [ 37.775742] RDX: 000000002015bffc RSI: 0000000020343ff8 RDI: 0000000020000080 [ 37.782992] RBP: 00000000006ca018 R08: 000000002000a000 R09: 0000000000000000 [ 37.790242] R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004019b0 [ 37.797491] R13: 0000000000401a40 R14: 0000000000000000 R15: 0000000000000000 [ 37.805123] Dumping ftrace buffer: [ 37.808661] (ftrace buffer empty) [ 37.812937] Kernel Offset: disabled [ 37.816558] Rebooting in 86400 seconds..